Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601)
By Mike Meyers and Scott Jernigan
About this ebook
Take the latest version of the CompTIA Security+ exam (exam SY0-601) with confidence using the comprehensive information contained in this highly effective self-study resource. Like the test, the guide goes beyond knowledge application and is designed to ensure that security personnel anticipate security risks and guard against them.
In Mike Meyers’ CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601), the bestselling author and leading authority on CompTIA A+ certification brings his proven methodology to IT security. Mike covers all exam objectives in small, digestible modules that allow you to focus on individual skills as you move through a broad and complex set of skills and concepts. The book features hundreds of accurate practice questions as well as a toolbox of the author’s favorite network security related freeware/shareware.
- Provides complete coverage of every objective for exam SY0-601
- Online content includes 20+ lab simulations, video training, a PDF glossary, and 180 practice questions
- Written by computer security and certification experts Mike Meyers and Scott Jernigan
Book preview
Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) - Mike Meyers
ABOUT THE AUTHORS
Mike Meyers, CompTIA A+, CompTIA Network+, CompTIA Security+, is the industry’s leading authority on CompTIA certifications and the best-selling author of ten editions of CompTIA A+ Certification All-in-One Exam Guide (McGraw Hill). He is the president and founder of Total Seminars, LLC, a major provider of PC and network repair seminars for thousands of organizations throughout the world, and a member of CompTIA.
Scott Jernigan, CompTIA ITF+, CompTIA A+, CompTIA Network+, CompTIA Security+, MCP, is the author or co-author (with Mike Meyers) of over two dozen IT certification books, including CompTIA IT Fundamentals (ITF+) Certification All-in-One Exam Guide (McGraw Hill). He has taught seminars on building, fixing, and securing computers and networks all over the United States, including stints at the FBI Academy in Quantico, Virginia, and the UN Headquarters in New York City, New York.
About the Technical Editor
Matt Walker is currently a member of the Cyber Security Infrastructure team at Kennedy Space Center with DB Consulting. An IT security and education professional for more than 20 years, he has served in multiple positions ranging from director of the Network Training Center and a curriculum lead/senior instructor for Cisco Networking Academy on Ramstein AB, Germany, to instructor supervisor and senior instructor at Dynetics, Inc., in Huntsville, Alabama, providing onsite certification-awarding classes for (ISC)², Cisco, and CompTIA. Matt has written and contributed to numerous technical training books for NASA, Air Education and Training Command, and the US Air Force, as well as commercially (CEH Certified Ethical Hacker All-in-One Exam Guide, now in its fourth edition), and continues to train and write certification and college-level IT and IA security courses.
Copyright © 2021 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-047370-4
MHID: 1-26-047370-8
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-047369-8, MHID: 1-26-047369-4.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED AS IS.
McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
For the great friends from around the world who shared
this crazy lockdown with us: Andre de Gooyert, Tullowit,
Alice Pozzi, Zak Morrill, Patricia Grace, Jose Braden,
and so many others. Cheers!
—Mike and Scott
CONTENTS AT A GLANCE
Chapter 1 Risk Management
Chapter 2 Cryptography
Chapter 3 Identity and Account Management
Chapter 4 Tools of the Trade
Chapter 5 Securing Individual Systems
Chapter 6 The Basic LAN
Chapter 7 Securing Wireless LANs
Chapter 8 Securing Public Servers
Chapter 9 Securing Dedicated Systems
Chapter 10 Physical Security
Chapter 11 Protocols and Applications
Chapter 12 Testing Infrastructure
Chapter 13 Dealing with Incidents
Appendix A Exam Objective Map
Appendix B About the Online Content
Glossary
Index
CONTENTS
Acknowledgments
Introduction
Chapter 1 Risk Management
Module 1-1: Defining Risk
Asset
Likelihood
Threat Actor
Vulnerability and Threat
Circling Back to the Risk Definition
Vectors
Threat Intelligence
Module 1-2: Risk Management Concepts
Infrastructure
Security Controls
Risk Management Frameworks
Module 1-3: Security Controls
Control Categories
Control Types
Module 1-4: Risk Assessment
Risk Assessment Processes and Concepts
Quantitative Risk Assessment
Qualitative Risk Assessment
Putting It All Together: Risk Analysis
Risk Response
Module 1-5: Business Impact Analysis
BIA Basics
Types of Impact
Locating Critical Resources
Calculating Impact
Calculating Downtime
Module 1-6: Data Security and Data Protection
Organizing Data
Legal and Compliance
Data Destruction
Privacy Breaches
Module 1-7: Personnel Risk and Policies
Hiring
Onboarding
Personnel Management Policies
Training
Policies
User Habits
Offboarding
Module 1-8: Third-Party Risk and Policies
Third-Party Risk Management
Agreement Types
Questions
Answers
Chapter 2 Cryptography
Module 2-1: Cryptography Basics
Essential Building Blocks
Early Cryptography
Cryptography Components
Module 2-2: Cryptographic Methods
Symmetric Cryptography
Asymmetric Cryptography
Hashing
Limitations in Symmetric vs. Asymmetric Cryptography
Hybrid Cryptography
The Perfect Cryptosystem
Module 2-3: Symmetric Cryptosystems
DES
3DES
AES
Blowfish
Twofish
RC4
Summary of Symmetric Algorithm Characteristics
Module 2-4: Asymmetric Cryptosystems
RSA
Diffie-Hellman
PGP/GPG
ECC
ElGamal
Module 2-5: Hashing Algorithms
Hashing Process
MD5
SHA
RIPEMD
HMAC
Module 2-6: Digital Signatures and Certificates
Digital Signatures
Digital Certificates
Module 2-7: Public Key Infrastructure
Keys, Algorithms, and Standards
PKI Services
Digital Certificates and PKI Structure
Key Safety
Trust Models
Module 2-8: Cryptographic Attacks
Attack Strategies
Attackable Data
Attack Scenarios
Defending Password Storage
Other Attack Options
Module 2-9: Other Cryptosystems
Homomorphic Encryption
Blockchain
Quantum Cryptography
Questions
Answers
Chapter 3 Identity and Account Management
Module 3-1: Understanding Authentication
Identification and AAA
Identification and Authentication
Authorization
Accounting
Trust
Module 3-2: Authentication Methods and Access Controls
Authentication Methods
Biometrics
Authorization and Access Control Schemes/Models
Module 3-3: Account Management
User Accounts
Account Policies
Account Administration
Module 3-4: Point-to-Point Authentication
PAP
CHAP/MS-CHAP
Remote Access Connection and Authentication Services
Module 3-5: Network Authentication
The Challenge of LAN Access Management
Microsoft Networking
LDAP and Secure LDAP
Module 3-6: Identity Management Systems
Trust
Shared Authentication Schemes
Questions
Answers
Chapter 4 Tools of the Trade
Module 4-1: Operating System Utilities
Network Reconnaissance and Discovery
File Manipulation
Shell and Script Environments
Module 4-2: Network Scanners
Scanning Methods
Scanning Targets
Scanner Types
Module 4-3: Protocol Analyzers
Why Protocol Analyze?
Wireshark
tcpdump
Module 4-4: Monitoring Networks
Exploring Log Files
Centralizing Log Files
Security Information and Event Management
Log File Management
Questions
Answers
Chapter 5 Securing Individual Systems
Module 5-1: Types of System Attacks
Attacking Applications
Driver Manipulation
Malicious Code or Script Execution
Module 5-2: Malware
Virus
Cryptomalware/Ransomware
Worm
Trojan Horse
Potentially Unwanted Programs
Bots/Botnets
Logic Bomb
Keylogger
RAT
Rootkit
Backdoor
Module 5-3: Cybersecurity Resilience
Non-persistence
Redundancy
Diversity
Module 5-4: Securing Hardware
Physical Attacks
Securing the Systems
Securing Boot Integrity
Module 5-5: Securing Endpoints
Hardening Operating Systems
Anti-malware
Data Execution Prevention
File Integrity Monitors
Data Loss Prevention
Module 5-6: System Recycling
Clear
Purge
Destroy
Questions
Answers
Chapter 6 The Basic LAN
Module 6-1: Layer 2 LAN Attacks
ARP Poisoning
Man-in-the-Middle Attacks
MAC Flooding
MAC Cloning
Module 6-2: Organizing LANs
Configuration Management
Network Segmentation
Load Balancing
Module 6-3: Implementing Secure Network Designs
Securing the LAN
Internet Connection Firewalls
Securing Servers
Module 6-4: Virtual Private Networks
How VPNs Work
Early VPNs
IPsec VPNs
TLS VPNs
Module 6-5: Network-Based Intrusion Detection/Prevention
Detection vs. Prevention
Detecting Attacks
Configuring Network-Based IDS/IPS
Monitoring NIDS/NIPS
Endpoint Detection and Response
Questions
Answers
Chapter 7 Securing Wireless LANs
Module 7-1: Networking with 802.11
Wireless Cryptographic Protocols
Wireless Authentication Protocols
Module 7-2: Attacking 802.11
Wireless Survey/Stumbler
Packet Capture
Attack Tools
Rogue Access Point
Jamming
Packet Sniffing
Deauthentication Attack
Near-Field Communication
Replay Attacks
WEP/WPA Attacks
WPS Attacks
Wireless Peripherals
Module 7-3: Securing 802.11
Installation Considerations
Wireless Configuration
Security Posture Assessment
Questions
Answers
Chapter 8 Securing Public Servers
Module 8-1: Attacking and Defending Public Servers
Distributed Denial-of-Service
Route Security
Quality of Service
Monitoring Services
Module 8-2: Virtualization Security
Virtualization Architecture
Containers
Virtualization Risks
Using Virtualization for Security
Module 8-3: Cloud Deployment
Let’s Talk Amazon
Cloud Deployment Models
Cloud Architecture Models
Cloud Growing Pains
Module 8-4: Securing the Cloud
Cloud Security Controls
Unique Cloud Security Solutions
Questions
Answers
Chapter 9 Securing Dedicated Systems
Module 9-1: Embedded, Specialized, and Mobile Systems
Embedded Systems
SCADA/ICS
Internet of Things
Specialized Systems
Mobile Systems
Module 9-2: Connecting to Dedicated Systems
Common Communication Technologies
IoT-Specific Communication Technologies
Module 9-3: Security Constraints for Dedicated Systems
Hardware
Programming
Connectivity
Module 9-4: Implementing Secure Mobile Solutions
Mobile Device Management
Deployment Models
Inventory Control and Asset Tracking
Application Management and Security
Encryption and Authentication
Enforcement and Monitoring for Device Security
Questions
Answers
Chapter 10 Physical Security
Module 10-1: Physical Security Controls
Passive Defensive Systems and Perimeter Controls
Active Alert Systems
Manned Defensive Systems
Module 10-2: Environmental Controls
EMI and RFI Shielding
Fire Suppression
HVAC
Temperature and Humidity Controls
Hot and Cold Aisles
Environmental Monitoring
Questions
Answers
Chapter 11 Secure Protocols and Applications
Module 11-1: Secure Internet Protocols
DNS Security
SNMP
SSH
FTP
SRTP
Module 11-2: Secure Web and E-mail
HTTP
HTTPS
Module 11-3: Web Application Attacks
Injection Attacks
Hijacking and Related Attacks
Other Web Application Attacks
Module 11-4: Application Security
Development
Code Quality and Testing
Staging
Production
Quality Assurance
Getting Organized
Module 11-5: Certificates in Security
Certificate Concepts and Components
PKI Concepts
Online vs. Offline CA
PKI TLS Scenario
Types of Certificates
Certificate Formats
Key Escrow
Questions
Answers
Chapter 12 Testing Infrastructure
Module 12-1: Vulnerability Impact
Device/Hardware Vulnerabilities
Configuration Vulnerabilities
Management/Design Vulnerabilities
Module 12-2: Social Engineering
Social Engineering Goals
Principles
Types of Attacks
Module 12-3: Artificial Intelligence
Understanding Artificial Intelligence
Machine Learning Essentials
OSINT
Adversarial Artificial Intelligence
Module 12-4: Security Assessment
Threat Hunting
Vulnerability Scans
Penetration Testing
Module 12-5: Assessment Tools
Protocol Analyzer
Network Scanner
Vulnerability Scanner
Configuration Compliance Scanner
Penetration Testing with Metasploit
Specific Tools Mentioned by CompTIA
Interpreting Security Assessment Tool Results
Questions
Answers
Chapter 13 Dealing with Incidents
Module 13-1: Incident Response
Incident Response Concepts
Incident Response Procedures
Scenarios: Mitigation During and After an Incident
Module 13-2: Digital Forensics
Digital Forensics Concepts
Data Volatility
Critical Forensics Practices
Data Acquisition
Analyzing Evidence
Module 13-3: Continuity of Operations and Disaster Recovery
Risk Management Best Practices
Contingency Planning and Resilience
Functional Recovery Plans
Backup and Restore Plans and Policies
Questions
Answers
Appendix A Exam Objective Map
Exam SY0-601
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Other Book Resources
Video Training from Mike Meyers
TotalSim Simulations
Mike’s Cool Tools
Technical Support
Glossary
Index
ACKNOWLEDGMENTS
In general, we’d like to thank our amazing teams at McGraw Hill and KnowledgeWorks Global Ltd. for such excellent support and brilliant work editing, laying out, and publishing this edition. Special shout out to our co-workers at Total Seminars—Michael Smyer, Dave Rush, and Travis Everett—for listening to us rant and providing excellent feedback.
We’d like to acknowledge the many people who contributed their talents to make this book possible:
To Tim Green, our acquisitions editor at McGraw Hill: Thank you for the steady encouragement during this crazy year. You’re the best!
To Matt Walker, technical editor: Excellent working with you! Thanks for laughing at our geeky jokes and sharing great stories.
To Bill McManus, copy editor: What an absolute delight to do this project with you! Your efforts made this a much better book.
To Emily Walters, acquisitions coordinator at McGraw Hill: Thanks for the Friday meetings and slightly menacing cat-on-lap petting. Way to keep us on track!
To Neelu Sahu, project manager at KnowledgeWorks Global Ltd.: Enjoyed working with you, Neelu. Hope the somewhat chaotic pacing wasn’t too stressful!
To Lisa McCoy, proofreader: Fabulous job, thanks!
To Ted Laux, indexer extraordinaire: Well done!
To KnowledgeWorks Global Ltd. compositors: The layout was excellent, thanks!
To Janet Walden, editorial supervisor at McGraw Hill: Great to work with you on this project! Next time we’ll make a few extra changes in page proofs just for you!
To Tom Somers, production supervisor at McGraw Hill: Thanks for waving that magic wand of yours and making so much happen as smoothly as possible.
INTRODUCTION
Most societies teem with a host of networked devices, from servers to smartphones, that provide the backbone for much of modern life. People and companies use these devices to produce and sell products and services, communicate around the globe, educate at every level, and manage the mechanisms of governments everywhere. Networked devices and the complex networks that interconnect them offer advances for humanity on par with, or perhaps beyond, the Agricultural and Industrial Revolutions. That’s the good news.
The bad news is that reliance on these devices creates a security risk to the resources placed on them. Networks can lose critical data and connections, both of which equate to loss of energy, confidence, time, and money. To paraphrase a few words from the American statesman James Madison, if humans were angels, there’d be no need for security professionals. But humans are at best negligent and at worst petty, vindictive, and astoundingly creative in pursuit of your money and secrets.
Networked devices and the networks that interconnect them need security professionals to stand guard. The demand for security professionals in information technology (IT) far outstrips the supply, and we assume that’s why you picked up this book. You see the trend and want to take the first step to becoming an IT security professional by attaining the acknowledged first security certification: CompTIA Security+.
This introduction starts with an overview of the goals of security, to put a framework around everything you’re going to learn. Second, we’ll discuss the CompTIA Security+ certification and look at exam details. Finally, this introduction details the overall structure of the book, providing a roadmap for studying for the exam.
Goals of Security
Traditional computer security theory balances among three critical elements: functionality, security, and the resources available to ensure both. From a functionality standpoint, systems must function as people need them to function to process the data needed. Users and other systems need to interface with systems and data seamlessly to get work done. Don’t confuse functionality with free rein. Allowing users to do whatever they wish with systems and data may result in loss, theft, or destruction of systems and data. Therefore, functionality must balance with security.
From the security standpoint, however, increasing the levels of protection for systems and data usually reduces functionality. Introducing security mechanisms and procedures into the mix doesn’t always allow users to see or interact with data and systems the way they would like. This usually means a reduction in functionality to some degree.
To add another wrinkle, the resources expended toward functionality and security, and the balance between them, are finite. No one has all the money or resources they need or as much functionality or security as they want. Keep in mind, therefore, that the relationship between functionality and security is inversely proportional; that is to say, the more security in place, the less functionality, and vice versa. Also, the fewer resources a person or organization has, the less of either functionality or security they can afford. Figure 1 illustrates this careful balancing act among the three elements of functionality, security, and resources.
Figure 1
Balancing functionality, security, and resources
Security theory follows three goals, widely considered the foundations of the IT security trade: confidentiality, integrity, and availability. Security professionals work to achieve these goals in every security program and technology. These three goals inform all the data and the systems that process it. The three goals of security are called the CIA triad. Figure 2 illustrates the three goals of confidentiality, integrity, and availability.
Figure 2
The CIA triad
NOTE
The CIA triad is put into practice through various security mechanisms and controls. Every security technique, practice, and mechanism put into place to protect systems and data relates in some fashion to ensuring confidentiality, integrity, and availability.
Confidentiality
Confidentiality tries to keep unauthorized people from accessing, seeing, reading, or interacting with systems and data. Confidentiality is a characteristic met by keeping data secret from people who aren’t allowed to have it or interact with it in any way, while making sure that only those people who do have the right to access it can do so. Systems achieve confidentiality through various means, including the use of permissions to data, encryption, and so on.
Integrity
Meeting the goal of integrity requires maintaining data and systems in a pristine, unaltered state when they are stored, transmitted, processed, and received, unless the alteration is intended due to normal processing. In other words, there should be no unauthorized modification, alteration, creation, or deletion of data. Any changes to data must be done only as part of authorized transformations in normal use and processing. Integrity can be maintained by the use of a variety of checks and other mechanisms, including data checksums and comparison with known or computed data values.
Availability
Maintaining availability means ensuring that systems and data are available for authorized users to perform authorized tasks, whenever they need them. Availability bridges security and functionality, because it ensures that users have a secure, functional system at their immediate disposal. An extremely secure system that’s not functional is not available in practice. Availability is ensured in various ways, including system redundancy, data backups, business continuity, and other means.
During the course of your study, keep in mind the overall goals in IT security. First, balance three critical elements: functionality, security, and the resources available to ensure both. Second, focus on the goals of the CIA triad—confidentiality, integrity, and availability—when implementing, reviewing, managing, or troubleshooting network and system security. The book returns to these themes many times, tying new pieces of knowledge to this framework.
CompTIA Security+ Certification
The CompTIA Security+ certification has earned the reputation as the first step for anyone pursuing a career in the highly complex, highly convoluted, and still very much evolving world of IT security. Let’s start with a description of CompTIA, then look at the specifics of the certification.
CompTIA
The Computing Technology Industry Association (CompTIA) is a nonprofit, industry-wide organization of just about everyone in the IT industry. The different aspects of CompTIA’s mission include certification, education, and public policy.
As of this writing, CompTIA offers 13 vendor-neutral certifications covering a wide range of information technology areas. Examples of some of these areas and certifications include CompTIA Linux+ (focusing on the Linux operating system), CompTIA A+ (which focuses on computer technology support fundamentals), CompTIA Network+ (covering different network technologies), and, of course, CompTIA Security+.
CompTIA certifications are considered the de facto standard in the industry in some areas. Because they are vendor neutral, almost all CompTIA certifications cover basic knowledge of fundamental concepts of a particular aspect of IT. CompTIA works hard to develop exams that accurately validate knowledge that professionals must have in that area. This enables employers and others to be confident that the individual’s knowledge meets a minimum level of skill, standardized across the industry.
The CompTIA Security+ Exam
Let’s state up front that CompTIA does not have any requirements for individuals who want to take the CompTIA Security+ exam. There are no prerequisites for certification or definitive requirements for years of experience. CompTIA does have several recommendations, on the other hand, including knowledge that might be validated by other CompTIA certifications such as the CompTIA Network+ certification. In other words, the level of networking knowledge you are expected to have before you take the CompTIA Security+ exam is the level that you would have after successfully completing the CompTIA Network+ certification. Here are CompTIA’s recommendations:
• Network+ certification
• Two years of experience in IT systems administration, with a focus on security
You should have experience in several areas, such as networking knowledge, basic information security concepts, hardware, software (both operating systems and applications), cryptography, physical security, and so on. The next few sections cover specific exam objectives that you need to know.
The following table shows the six domains in the CompTIA Security+ Certification Exam Objectives document for exam SY0-601. Each of these domains has very detailed exam objectives.
Threats, Attacks, and Vulnerabilities
Domain 1.0 is all about the attacks, from malware to application attacks. It’s critical you know your keyloggers from your RATs and your buffer overflows from your cross-site scripting. In addition, you should recognize the threat actors, from script kiddies to evil governments to incompetent users. Along with the threats and attacks, you should understand different types of vulnerabilities that enable these attacks to thrive and the two main tools you use to minimize those vulnerabilities, security assessments, and penetration testing.
Architecture and Design
Domain 2.0 explores a lot of topics under its benign-sounding title. You’re expected to explain important security concepts, such as data protection, hashing, and site resiliency. The domain covers cloud models, such as infrastructure as a service (IaaS); you’ll need to summarize containers, infrastructure as code, and virtualization. In addition, this domain covers the design of secure applications and security for embedded systems.
Domain 2.0 requires you to know how to use security devices, protocols, and tools. This domain covers the frameworks that enable secure IT, the design concepts such as defense-in-depth, and benchmarks used to measure security. This domain covers technologies to defend networks, such as VLANs, screened subnets, and wireless designs. Domain 2.0 also covers physical security controls, such as fencing and fire prevention.
Finally, domain 2.0 expects knowledge of cryptographic concepts. You’ll get questions on symmetric versus asymmetric cryptography, for example. The objectives explore public key encryption, keys, salting, hashing, and more.
Implementation
The key with domain 3.0 is in the name, Implementation.
Concepts discussed in other domains get scenario-level in this domain. Domain 3.0 goes into great detail about authentication, authorization, and accounting. It expects you to know and implement authentication and the many identity and access services such as LDAP and Kerberos. The domain addresses authorization via user groups and accounts and the tools and methods used to control them. You’ll need to know how to implement secure wireless and mobile solutions, plus apply cybersecurity solutions to cloud computing. Finally, the domain expects you to understand how to implement public key infrastructure.
Operations and Incident Response
Domain 4.0 explores organizational security, such as incident response policies and procedures. You’ll need to know mitigation techniques and controls, plus practical forensic practices, such as how to acquire and handle evidence.
Governance, Risk, and Compliance
Domain 5.0 defines critical concepts in risk management, such as events, exposures, incidents, and vulnerability. You’re expected to know risk-related tools, such as business impact analysis, assessments, incident response, and disaster recovery/business continuity. You’ll need to understand the regulations, standards, and frameworks that impact operational security and explain policies that organizations use to implement security. Finally, the domain expects you to know how privacy and sensitive data use impacts security.
Getting Certified
This book covers everything you’ll need to know for CompTIA’s Security+ certification exam. The book is written in a modular fashion, with short, concise modules within each chapter devoted to specific topics and areas you’ll need to master for the exam. Each module covers specific objectives and details for the exam, as defined by CompTIA. We’ve arranged these objectives in a manner that makes fairly logical sense from a learning perspective, and we think you’ll find that arrangement will help you in learning the material.
NOTE
Throughout the book, you’ll see helpful Notes and Exam Tips. These elements offer insight on how the concepts you’ll study apply in the real world. Often, they may give you a bit more information on a topic than what is covered in the text or expected on the exam. And they may also be helpful in pointing out an area you need to focus on or important topics that you may see on the test.
End of Chapter Questions
At the end of each chapter you’ll find questions that will test your knowledge and understanding of the concepts discussed in the modules. The questions also include an answer key, with explanations of the correct answers.
Using the Exam Objective Map
The Exam Objective map included in Appendix A has been constructed to help you cross-reference the official exam objectives from CompTIA with the relevant coverage in the book. References have been provided for the exam objectives exactly as CompTIA has presented them—the module that covers that objective, the chapter, and a page reference are included.
Online Resources
The online resources that accompany this book feature the TotalTester exam software that enables you to generate a complete practice exam or quizzes by chapter or by exam domain. See Appendix B for more information.
Study Well and Live Better
We enjoyed writing this book and hope you will enjoy reading it as well. Good luck in your studies and good luck on the CompTIA Security+ exam. If you have comments, questions, or suggestions, tag us:
Mike: desweds@protonmail.com
Scott: jernigan.scott@gmail.com
CHAPTER 1
Risk Management
It seems to me that if there were any logic to our language, trust would be a four-letter word.
—Joel Goodson, Risky Business
IT security professionals walk a tight line between keeping systems safe from inside and outside threats and making resources available to people who need them. Perfectly secure systems would allow no access, right? If attackers can’t access the systems, they can’t break or steal anything. But such perfect security clearly blocks legitimate users from using resources to produce anything of value. Conversely, a wide-open system provides great access for creativity and production, but also provides access to malicious people.
Security professionals provide a space in between, with enough security to stop attackers, yet enough access to enable good people to create and produce. With risk management, security folks identify and categorize risks and then systematically put controls in place to manage those risks and thus minimize their impact on the organization. As a science, risk management uses statistics, facts, scans, and numbers to align a vision, a design for the organization. As an art, security professionals craft a plan for risk management that people will buy into and actually follow.
This chapter tours IT risk management in eight modules:
• Defining Risk
• Risk Management Concepts
• Security Controls
• Risk Assessment
• Business Impact Analysis
• Data Security and Data Protection
• Personnel Risk and Policies
• Third-Party Risk and Policies
Module 1-1: Defining Risk
This module covers the following CompTIA Security+ objectives:
• 1.2 Given a scenario, analyze potential indicators to determine the type of attack
• 1.5 Explain different threat actors, vectors, and intelligence sources
In IT security, risk implies a lot more than the term means in standard English. Let’s start with a jargon-filled definition, then examine each term in the definition. We’ll review the definition with some examples at the end of the module.
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT system asset.
This definition of risk includes five jargon terms that require further explanation:
• Asset
• Likelihood
• Threat actor
• Vulnerability
• Threat
Defining each jargon word or phrase relies at least a little on understanding one or more of the other jargon phrases. We’ll cover these next, and then explore two related topics, vectors and threat intelligence, to round out the concept of risk. Let’s do this.
Asset
An asset is a part of an IT infrastructure that has value. You can measure value either tangibly or intangibly. A gateway router to the Internet is an example of an asset with tangible value. If it fails, you can easily calculate the cost to replace the router.
What if that same router is the gateway to an in-house Web server? If that Web server is no longer accessible to your customers, they’re not going to be happy and might go somewhere else due to lack of good faith or goodwill. Good faith doesn’t have a measurable value; it’s an intangible asset.
Here are a few more examples of assets:
• Servers The computers that offer shared resources
• Workstations The computers that users need to do their job
• Applications Task-specific programs an organization needs to operate
• Data The stored, proprietary information an organization uses
• Personnel The people who work in an organization
• Wireless access Access to the network that doesn’t require plugging into an Ethernet port
• Internet services The public- or private-facing resources an organization provides to customers, vendors, or personnel via the Web or other Internet applications
We will cover assets in much greater detail later in this chapter.
Likelihood
Likelihood means the probability—over a defined period of time—of someone or something damaging assets. Likelihood is generally discussed in a comparative nature. Here are a couple of examples:
• The company expects many attacks on its Web server daily, but few on its internal servers. The potential for a successful attack on the Web server is much more likely than on internal servers, and thus the controls—the things put in place to protect the systems—would vary a lot.
• Hard drives will likely fail after three years, with the probability of failure rising over time. The drive could fail right out of the box, but the likelihood of failure of a drive under three years old is much lower than a drive of three or more years old.
NOTE
You will also hear the term probability as a synonym for likelihood.
Threat Actor
A threat actor is anyone or anything that has the motive and resources to attack another enterprise’s IT infrastructure. Threat actors manifest in many forms. Many folks think of a threat actor as a malicious person, such as a classic hacker bent on accessing corporate secrets. But a threat actor can take different guises as well, such as programs automated to attack at a specific date or time. A threat actor could be a respected member of an organization who has just enough access to the IT infrastructure but lacks the knowledge of what not to do. The word actor here simply means someone or something that can initiate a negative event.
The CompTIA Security+ exam covers nine specific types of threat actor:
• Hackers
• Hacktivists
• Script kiddies
• Insiders
• Competitors
• Shadow IT
• Criminal syndicates
• State actors
• Advanced persistent threat
Hackers—and more specifically security hackers—have the technical skills to gain access to computer systems. White hat hackers use their skills for good, checking for vulnerabilities and working with the full consent of the target. The malicious black hat hackers, in contrast, do not have the consent of the target. Gray hat hackers fall somewhere in the middle. They’re rarely malicious, but usually do not have the target’s consent.
EXAM TIP
The CompTIA Security+ objectives use bland and nonstandard descriptive terms for hacker types. Be prepared for either term to describe/label a hacker.
—White hat = Authorized
—Black hat = Unauthorized
—Gray hat = Semi-authorized
A hacktivist is a hacker and an activist. These threat actors have some form of agenda, often political or fueled by a sense of injustice. Hacktivism is often associated with sophisticated yet loosely associated organizations, such as Anonymous.
Script kiddies are poorly skilled threat actors who take advantage of relatively easy-to-use open-source attacking tools. They get the derogatory moniker because they don’t have skills that accomplished hackers possess. Their lack of sophistication makes them notoriously easy to stop, most of the time.
Insiders (or insider threats) are people within an organization. As part of the targeted organization, these threat actors have substantial physical access and usually have user accounts that give them access to assets. In fact, the absolute best way to attack an organization is to be hired by them. You get hired; they hand you the keys to the kingdom; you’re in. Insiders are often motivated by revenge or greed, but that’s not universal. Some folks just do stupid things that cause all sorts of havoc.
Shadow IT describes information technology systems installed without the knowledge or consent of the main IT department. Almost never based on malicious intent, shadow IT springs up when users need to work around limitations imposed by IT departments for purposes of security, limitations that hamper their jobs.
Isn’t it interesting that one attribute of the two previous threat actors is that they are inside the organization? The rest of the threat actors are external to the organization.
EXAM TIP
Take the time to recognize the attributes of threat actors: internal/external, intent/motivation, resources/funding, level of sophistication/capability.
Competitors are outside organizations that try to gain access to the same customers as the targeted company. Competitors, by definition in the same business, know precisely the type of secure information they want. Organizations practice competitive intelligence gathering to get information about competitors, their customers, their business practices, and so on. The information gathered can help shape business practices.
Criminal syndicates use extra-legal methods to gain access to resources. Also known as organized crime, criminal syndicates are a huge problem today. These groups are sophisticated, are well funded, and cause tremendous damage to vulnerable systems worldwide to make money.
State actors—or nation states—refer to government-directed attacks, such as the United States sending spies into Russia. Whereas criminal syndicates commonly use threats specifically to make money, state actors take advantage of vulnerabilities to acquire intelligence. Nation states have the resources—people and money—to collect open-source intelligence (OSINT) successfully—information from media (newspapers, television), public government reports, professional and academic publications, and so forth.
State actors are easily the best funded and most sophisticated of all threat actors. State actors often use advanced persistent threats (APTs), where a threat actor gets long-term control of a compromised system, continually looking for new data to steal.
NOTE
Many state actors use criminal syndicates to conduct cyberattacks against other nation states.
Vulnerability and Threat
The terms vulnerability and threat go hand-in-hand, so it makes sense to talk about both at the same time. A vulnerability is a weakness inherent in an asset that leaves it open to a threat. A threat is an action a threat actor can use against a vulnerability to create a negative effect.
Vulnerabilities and their associated threats exist at every level of an organization. Not changing the default password on a router is a vulnerability; someone taking control of your router by using the default password is the threat. Giving a user full control to a shared folder (when that user does not need nor should have full control) is a vulnerability. That same user having the capability to delete every file in that folder is a threat.
Threats do not have to originate only from people or organizations. Forces of nature like earthquakes and hurricanes (a big deal here in Houston, Texas) can also be threats.
As you might imagine, dealing with threats by minimizing vulnerabilities is a core component of risk management. This chapter will develop this concept in detail.
NOTE
You will see two other terms associated with the jargon phrases covered in this section, attack and incident. An attack is when a threat actor actively attempts to take advantage of a vulnerability. When the target recognizes an attack, it is called an incident. Both attacks and incidents go beyond the concept of risk and are covered in Chapter 13.
Circling Back to the Risk Definition
Now that we have explored each jargon term in some detail, let’s look at the definition of risk again and follow it with an example.
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT system asset.
Here’s an example of a risk:
There’s a 15 percent chance in the next month that Sally the hacktivist will guess correctly John’s password on the important company server to gain access to secret documents.
The likelihood is 15 percent over the next month. The threat actor is Sally the hacktivist. John’s lame password is a vulnerability; the threat is that Sally will get that password and use it to access the server. The assets are both the server and the secret documents. Got it? Let’s move on.
Vectors
Threat actors use a variety of attack vectors—pathways to gain access to infrastructure—to carry out attacks. In the olden days, threat actors used floppy disks or optical media as vectors to install malware or tools. Today, the only commonly used removable media are USB thumb drives, the vector of choice for a threat actor who has physical access to a target system. Other attack vectors include the classic hacker gets into your network through your router (a.k.a. direct access), the ubiquitous vector of wireless networks (802.11, Bluetooth, cellular), and the relatively new cloud vector.
Don’t limit yourself to thinking networking when you consider vectors. Almost any application that transfers information between systems might be a vector. Threat actors can use e-mail, social media, conferencing, and even shared document applications as vectors for an attack.
Smartphones and other mobile devices and the Internet of Things (IoT) offer serious and growing attack vectors for modern organizations. Just about everyone has a smartphone with sophisticated recording—video and sound—devices built in, plus always-on connectivity to the cellular network and the Internet. Any rogue or buggy app can create a pathway into a network. IoT devices controllable from outside the network also provide a point of entry to the network. It’s a brave new world that attackers will try very hard to exploit.
The infamous Stuxnet worm that disrupted the Iranian nuclear program back in 2010 used a supply-chain vector. Threat actors (almost certainly the United States and Israel) infected printers with this worm that were then purchased by the Iranian government. This is a brutal example of a supply-chain attack.
Threat Intelligence
Cybersecurity professionals in organizations maintain and update information about past, current, and potential threats to the organization. This collection of information, called threat intelligence, helps those security professionals prepare for—and hopefully prevent—attacks on the organization.
Moreover, most security folks share information about vulnerabilities and associated threats with other professionals in the field. It’s like one big, highly paranoid family out there!
Sources for threat intelligence come from many places. Dedicated threat intelligence sources—such as vulnerability databases available on the Internet—provide a wealth of information, of course. But so do what CompTIA calls research sources—things like academic journals and social media. Security professionals dive into all of these sources to build their threat intelligence.
This section explores the types of sources available for threat intelligence gathering and provides examples. This is not an exhaustive list of specific sources—impossible and instantly outdated—but a guide to the types of sources. We’ll look at dedicated threat intelligence sources, then follow with research sources.
Threat Intelligence Sources
Dedicated threat intelligence sources enable security professionals to research potential threats to their organizations and share threats they discover with their peers. These sources reveal the past and current threats, explore potential threats by defining characteristics or signature types, and much more.
This section explores nine dedicated threat intelligence sources:
• OSINT
• Public/private information-sharing centers
• Dark Web
• Indicators of compromise
• Adversary tactics, techniques, and procedures
• Predictive analysis
• Threat maps
• File/code repositories
• Vulnerability databases
OSINT We discussed open-source intelligence (OSINT) sources earlier in this module. This category includes information gathered from media (newspapers, television), public government reports, professional and academic publications, and so forth. Security professionals rely heavily on OSINT for the big picture or the framework for the picture that can then get more specific in terms of nonpublic information layers.
Public/Private Information-Sharing Centers Motivated by the lack of coordinated information sharing between different federal organizations after 9/11, the US government began a series of legislation establishing information-sharing centers, more commonly called Information Sharing and Analysis Centers (ISACs). Originally designed as government-based public entities just in the United States, most countries now have public ISACs as well as many private ISACs. ISACs communicate via Automated Indicator Sharing (AIS) tools to update each other’s databases automatically.
The US Department of Homeland Security (DHS) sponsors several specifications for facilitating cybersecurity information sharing. Trusted Automated eXchange of Intelligence Information (TAXII) enables information sharing through services and message exchanges. TAXII provides transport for threat information exchange. Structured Threat Information eXpression (STIX) enables communication among organizations by providing a common language to represent information. Cyber Observable eXpression (CybOX) provides standardized specifications for communicating about cybersecurity phenomena and elements, from malware types to event logging. DHS has made these specifications available globally for free.
EXAM TIP
You might see a question on the CompTIA Security+ exam about DHS-sponsored specifications for cybersecurity information sharing. Only TAXII and STIX are in the objectives, though. CybOX is not mentioned.
Dark Web The Dark Web refers to Internet sites that are inaccessible without using specific applications such as the Tor network. Dark Web sites run the gamut from illegal drug sales to terrorist groups to interesting puzzles, with just about everything in between (Figure 1-1). Dark Web sites are dark because search engines, like Google, don’t index them. You can’t find these sites with a typical Internet search, in other words, but they function just like any other Web site.
Figure 1-1 A sketchy site on the Dark Web
The Dark Web can provide a lot of important information, especially about criminal activity through sting operations conducted by law enforcement agents posing as Dark Web site visitors interested in engaging in illegal transactions. Plus, a lot of Dark Web sites offer highly entertaining, completely legal content. It’s the Wild West, so take care if (when) you venture in.
Indicators of Compromise It’s almost impossible for a threat actor to attack a system and not leave behind clues of the actor’s presence. An IT security person must recognize the artifact of an intrusion, known as an indicator of compromise (IoC). IoCs take on many forms. A sudden increase in outgoing network traffic, malware signatures, strange changes in file permissions—all of these are examples of IoCs. IoCs feature as key evidence collected in forensic investigations.
Recognizing IoCs enables cybersecurity professionals to monitor networks and provide threat monitoring tools as threat feeds—real-time data streams to recognize threats. Threat feeds work with internal networks as well as outside networks.
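The STIX/TAXII paragraph above describes a common language for sharing indicators, and this section describes recognizing those indicators in your own telemetry. The following is an added example, not code from the book or from any ISAC tooling: it builds a small STIX 2.1 bundle of the kind a sharing partner might publish over TAXII, parses the simple equality patterns in its indicators, and scans a handful of constructed log lines for both atomic IoCs (an address, a hash, a domain) and one behavioral IoC (a spike in outbound bytes). The STIX property names are real; the indicator values, addresses, hostnames, log lines and the `baseline_bytes` threshold are all constructed or assumed for the example, and the hash is simply the SHA-256 of empty input used as a stand-in.

```python
"""Sharing and matching indicators of compromise (IoCs) with STIX 2.1.

Added example (not from the book): STIX field names are real; every
indicator value and log line below is constructed sample data.
"""
import re
import uuid
from datetime import datetime, timezone

# Constructed stand-in for a malware hash: this is the SHA-256 of empty input.
SAMPLE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(pattern: str, name: str) -> dict:
    """Build a STIX 2.1 Indicator object carrying its required properties."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id("indicator"),
        "created": now,
        "modified": now,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }


# A bundle is the unit TAXII moves between sharing partners (constructed content).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": stix_id("bundle"),
    "objects": [
        make_indicator("[ipv4-addr:value = '203.0.113.45']",
                       "constructed C2 address (TEST-NET-3 range)"),
        make_indicator(f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']",
                       "constructed dropper hash"),
        make_indicator("[domain-name:value = 'cdn.example.invalid' OR "
                       "domain-name:value = 'bad.example.invalid']",
                       "constructed staging domains"),
    ],
}

# One '=' comparison inside a pattern: <object type>:<property> = '<value>'
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'")


def parse_pattern(pattern: str) -> list:
    """Return (object_type, property, value) triples from a STIX pattern made of
    '=' comparisons joined by OR. Anything richer is rejected rather than guessed."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    triples = COMPARISON.findall(body[1:-1])
    if not triples:
        raise ValueError(f"no comparisons found in: {pattern}")
    return triples


def scan_logs(bundle: dict, log_lines) -> list:
    """Atomic IoCs: report every log line that contains an indicator value."""
    indicators = [o for o in bundle["objects"] if o["type"] == "indicator"]
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        # Tokenize key=value records so '1.2.3.4' can never match inside '11.2.3.45'.
        tokens = {t.lower() for t in re.split(r"[\s=]+", line) if t}
        for ind in indicators:
            for obj_type, prop, value in parse_pattern(ind["pattern"]):
                if value.lower() in tokens:
                    hits.append({"line": lineno, "indicator": ind["id"],
                                 "name": ind["name"],
                                 "observable": f"{obj_type}:{prop}",
                                 "value": value})
    return hits


def egress_outliers(log_lines, baseline_bytes: int) -> dict:
    """Behavioral IoC: internal sources whose summed bytes_out exceeds a baseline."""
    totals = {}
    for line in log_lines:
        m = re.search(r"src=(\S+).*bytes_out=(\d+)", line)
        if m:
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(2))
    return {src: total for src, total in totals.items() if total > baseline_bytes}


# Constructed proxy and endpoint log lines; addresses are documentation ranges.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.45 host=cdn.example.invalid bytes_out=48213",
    "2024-03-01T10:02:13Z proxy src=10.0.0.12 dst=198.51.100.7 host=mail.example.invalid bytes_out=1200",
    f"2024-03-01T10:03:40Z edr host=ws-12 proc=C:\\Users\\john\\AppData\\svc.exe sha256={SAMPLE_HASH}",
    "2024-03-01T10:04:02Z proxy src=10.0.0.20 dst=192.0.2.9 host=www.example.invalid bytes_out=530",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_BUNDLE, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['observable']} = {hit['value']} ({hit['name']})")
    print("egress outliers:", egress_outliers(SAMPLE_LOGS, baseline_bytes=10_000))
```

Running the block reports three atomic hits (the address and domain on line 1, the hash on line 3) and flags 10.0.0.12 as an egress outlier. Two design points matter in practice: matching is done on tokens rather than substrings so that a short IoC value cannot fire inside a longer, unrelated one, and `parse_pattern` refuses STIX operators it does not understand instead of silently ignoring them, which is how a feed consumer avoids quietly dropping indicators.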
Adversary Tactics, Techniques, and Procedures The term adversary tactics, techniques, and procedures (TTP) describes the actions of threat actors to gain access to your infrastructure. A tactic is the goal of the attacker, such as to gain initial access to a network or system. A technique is how the attacker implements that tactic, such as using a valid account or finding a weakness in your supply chain to gain initial access. A procedure is precisely how the attacker performs the technique; for example, watching a user’s keyboard as the user enters an account password.
The MITRE ATT&CK framework incorporates TTP, breaking tactics into a dozen or so categories and providing common techniques associated with those tactics. Check it out here: https://attack.mitre.org.
EXAM TIP
CompTIA places threat feeds and TTP as types of research sources, but many researchers consider them part of dedicated threat intelligence sources. Either way, the key for the exam is that both sources enable you to enhance threat intelligence.
Predictive Analysis Every IT security professional could use a crystal ball enabling him or her to know an incident is about to take place. That’s the world of predictive analysis: using software, often artificial intelligence, to look for trends to anticipate any upcoming problems. Predictive analysis isn’t perfect for every aspect of IT security, but for issues like hardware failure prediction and network loads, predictive analysis is a powerful tool.
NOTE
Check out the Predictive Analytics portal at CIO for the latest news on the subject: https://www.cio.com/category/predictive-analytics/.
Threat Maps Threat maps are graphical representations of the geographical source and target of attacks (Figure 1-2). Threat maps are certainly pretty, but they aren’t real time and they lack any form of deep detail about the attacks. They work well for presentations, especially to show broader trends.
Figure 1-2 Cyber Threat Map from FireEye
File/Code Repositories A repository is a storage area for data files or code. Unlike archive data, repository data/code is stored in such a way that the data/code is sorted or indexed based on certain information pertinent to that data or code. Log files for an entire network over a certain number of years are one example of a file repository. Code repositories are a different matter. These are used by developers to produce and control code development. It’s rare to find anything written these days that doesn’t use a code repository like GitLab (Figure 1-3).
Figure 1-3 GitLab
EXAM TIP
CompTIA lumps file and code repositories into a single term, file/code repositories.
Vulnerability Databases The IT industry aggressively looks for vulnerabilities and their associated threats. Many governments and organizations host vulnerability databases, collections of all the known problem areas or weaknesses in deployed software. One of the most important vulnerability databases in the United States is the National Institute of Standards and Technology’s National Vulnerability Database (Figure 1-4).
Figure 1-4 NIST National Vulnerability Database
Another great source for vulnerabilities is the Common Vulnerabilities and Exposures (CVE) list provided by MITRE Corporation: https://cve.mitre.org.
Also, check out the open-source, community-driven vulnerability database, VULDB: https://vuldb.com.
There are a lot more vulnerability databases out there, but these three should get you started.
NOTE
CompTIA’s division between research sources and threat intelligence sources is somewhat arbitrary. In practice, these two areas overlap.
Research Sources
Research sources aren’t devoted exclusively to the idea of threat intelligence, but they’re always good places to look for problems in a more generic way. Whether you’re just checking a vendor forum or chatting at a conference, if security issues are out there, they’re always a hot topic. This section looks at seven common research sources:
• Vendor Web sites
• Vulnerability feeds
• Conferences
• Academic journals
• Requests for comments
• Local industry groups
• Social media
If you want to know anything about a product, go directly to the vendor Web site to do some good research (Figure 1-5). Who else knows more about a product (hopefully) than the vendor who makes or sells it? Find a support forum and dig in!
Figure 1-5 Advanced networking device manufacturer Juniper’s support forums
If you want to stay on the bleeding edge of vulnerabilities and you want them basically delivered to you, vulnerability feeds make your research easy (easier) by delivering RSS feeds, tweets, social media posts, or other methods to let you see what’s out there. There are hundreds of these types of feeds. The NVD, mentioned earlier, has a great feed.
Get out there and hit some conferences! There are plenty of great conferences at the regional, national, and international level. Every IT security person should make a trip to the famous Black Hat conference, held annually in Las Vegas and in other locations internationally (such as Black Hat Europe and Black Hat Asia).
Reading academic journals is the ultimate egghead research path, but many vulnerabilities are first brought to public attention using journals. The only challenge to reading about vulnerabilities in academic journals is that the articles often only discuss a theoretical vulnerability without showing how to do it (in many cases, someone usually does create a practical attack after an article is published).
Requests for comments (RFCs) started as the original ARPANET documents that literally defined the Internet. While this is still true, RFCs evolved to cover every aspect of TCP/IP communication and are issued by the Internet Engineering Task Force (IETF), the Internet Research Task Force (IRTF), and the Internet Architecture Board (IAB). If you want the gritty details on any technology that is part of TCP/IP communications, RFCs are the place to go (Figure 1-6). All RFCs are public and can be accessed via www.rfc-editor.org.
Figure 1-6 RFC for HTTPS
Many security issues are industry specific, so joining local industry groups is almost always the best way to connect with the folks who deal with similar issues in your industry. These are often the only reliable source for industry-specific or closed/proprietary information. Search in your area for a local Information Systems Security Association International (ISSA) chapter. They’re super good: https://issa.org.
Virtually every company or organization that provides hardware, software, services, or applications has some form of bug bounty program. These programs reward people who report vulnerabilities with money, swag, and acclaim (Figure 1-7). Before you get too excited and start hacking your favorite (fill in the blank), know that all of these programs have very specific scopes and parameters. Going beyond the scope could get you in serious legal trouble. Look before you leap! And get permission before you start.
Figure 1-7 Facebook vulnerability reporting
Social media, such as Twitter and Reddit, provide a wealth of threat intelligence sources. Numerous Twitter feeds are dedicated to cybersecurity. Check out @Dejan_Kosutic for hourly updates. The r/threatintel subreddit, while not quite as hyperactive as the Twitter feeds, has some great information as well.
IT security professionals use a lot of tools to combat risk. These tools get lumped together under the term risk management.
Primarily, the tools reduce the impact of—mitigate—threats posed to an organization. Module 1-2 explores risk management concepts; later modules expand on the toolsets available. Let’s leave Module 1-1 with a definition of the job of an IT security professional:
IT security professionals implement risk management techniques and practices to mitigate threats to their organizations.
Module 1-2: Risk Management Concepts
This module covers the following CompTIA Security+ objectives:
• 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
• 5.3 Explain the importance of policies to organizational security
Module 1-1 ended with a pithy job description: IT security professionals implement risk management techniques and practices to mitigate threats to their organizations. To get to the implement stage requires knowledge, naturally, and the term risk management is loaded with meaning. This module explores four aspects of risk management: infrastructure, security controls, risk management frameworks, and industry-standard frameworks and reference architectures. Later modules build on this information to get you to the implement step.
The term security posture (or cybersecurity posture) refers to the security status of every aspect of an organization. That includes the security of networks, systems, physical property, and intellectual property, plus all the systems, policies, and controls that implement that security. Security posture includes external entities that affect the organization, such as partners, vendors, and the supply chain. This module takes some of the theory and concepts from Module 1-1 and begins the journey to understanding the security posture.
Infrastructure
In IT risk management, the term infrastructure applies to just about every aspect of an organization, from the organization itself to its computers, networks, employees, physical security, and sometimes third-party access.
Organization
At its most basic, an organization is who you work for: your company, your corporation, your nonprofit, your governmental department. These are good potential examples of an organization, but in some cases, you might need more details. A single organization, for example, might look like a collection of smaller organizations in terms of risk management (Figure 1-8).
Figure 1-8 What’s your organization?
The big difference here is how autonomous your IT management is in relation to the overall organization. The more decisions the main organization lets a smaller group handle, the more the smaller group should look at itself as an organization. A smaller organization might be a single physical location in a different city or perhaps a different country. It might be a division of a corporation, or a regional governmental agency.
NOTE
A quick way to determine the scope of any IT infrastructure is to identify the bigwigs. A single IT infrastructure should never have more than one chief security officer, for example.
Systems
Computers and network equipment are part of an IT infrastructure, but there are many more components. People matter, such as IT managers, IT techs, human resources, chief security officer, chief information officer, and legal staff; even individual users are part of the IT infrastructure. See Figure 1-9.
Figure 1-9 We are your infrastructure.
Physical Security
Physical security is also an important part of an IT infrastructure. Fences, cameras, and guards protect your infrastructure just as well as they protect the rest of your organization. We’ll cover physical security in Chapter 7, Module 7-8.
Third-Party Access
Third parties that your organization contracts with are part of your IT infrastructure. Does your organization have an intranet that enables suppliers to access your equipment? Then those suppliers are part of your IT infrastructure. Have a maintenance contract on all your laser printers? There’s another part of your infrastructure. The company that hosts all your Web servers? Yes, they are part of your IT infrastructure as well. We’ll cover third-party access in Module 1-8.
Security Controls
The action taken to address a vulnerability, so that the threat it exposes is reduced or eliminated, is called a security control. A security control is a directed action you place on some part of your infrastructure. Security controls don't say how to perform the steps needed to mitigate a threat, only that they must be performed.
Here is an example of a security control from NIST Special Publication 800-53 (Rev. 4; Rev. 5 has since been published, but the structure of a control is the same).
IA-5 Authenticator Management
Control Description
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
Plus about seven other points that collectively make up the security control.
You don’t have to know what all of that means yet, but do note that the controls are guidelines, not specific implementation steps. Steps required to implement the controls will vary among operating systems and network systems. The bottom line for your job as a security professional is to locate vulnerabilities and apply security controls. It’s what we do.
NOTE
The security control listed here comes from the NIST NVD in case you want to look it up: https://nvd.nist.gov/800-53/Rev4/control/IA-5.
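To make the control-versus-implementation distinction concrete, here is one possible implementation of IA-5 item (c) for password authenticators, written as an added example for this module (it is not code from the book or from NIST). The thresholds, the tiny blocklist, and the function names are assumptions chosen for illustration; a real deployment would load a breached-password corpus and tune the policy to its environment. Note that the control says only that authenticators must be strong enough; everything below is an implementation choice.

```python
"""One implementation of NIST SP 800-53 IA-5(c): "authenticators have
sufficient strength of mechanism for their intended use", applied to
passwords. Added example; thresholds and names are assumptions."""

from dataclasses import dataclass


# Constructed sample blocklist for the example. A production check compares
# against a breached-password corpus with many millions of entries.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


@dataclass(frozen=True)
class PasswordPolicy:
    """Implementation-specific parameters; the control itself does not fix them."""
    min_length: int = 12
    max_length: int = 128
    min_distinct_chars: int = 4
    forbid_username: bool = True
    blocklist: frozenset = COMMON_PASSWORDS


def evaluate_password(password: str, username: str = "",
                      policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the reasons a proposed password fails the policy.

    An empty list means the authenticator satisfies this implementation of
    IA-5(c). Checks are ordered so the caller can report all failures at once
    rather than making the user fix them one at a time.
    """
    failures = []
    lowered = password.lower()

    # Length bounds: a floor for strength, a ceiling so the hash function
    # (not shown here) is not fed unbounded input.
    if len(password) < policy.min_length:
        failures.append(f"too short ({len(password)} < {policy.min_length})")
    if len(password) > policy.max_length:
        failures.append(f"too long ({len(password)} > {policy.max_length})")

    # Blocklist check: known-compromised or common values are weak regardless
    # of length or character mix.
    if lowered in policy.blocklist:
        failures.append("in common-password blocklist")

    # Context check: the username is public, so it adds no secrecy.
    if policy.forbid_username and username and username.lower() in lowered:
        failures.append("contains username")

    # Catch trivial padding such as "aaaaaaaaaaaa" or "abababababab".
    if len(set(lowered)) < policy.min_distinct_chars:
        failures.append(f"fewer than {policy.min_distinct_chars} distinct characters")

    return failures


def passes(password: str, username: str = "",
           policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Convenience wrapper: True when evaluate_password reports no failures."""
    return not evaluate_password(password, username, policy)


if __name__ == "__main__":
    for pw, user in [("password", "alice"), ("correct horse battery staple", "alice"),
                     ("Alice-Springs-2024", "alice"), ("aaaaaaaaaaaaaa", "bob")]:
        print(f"{pw!r:34} -> {evaluate_password(pw, user) or 'OK'}")
```

The same control on Windows would be satisfied by Group Policy password settings, and on Linux by pam_pwquality configuration; this script is a third route. The design deliberately favors length and a blocklist over character-class composition rules, which is the direction NIST SP 800-63B takes for memorized secrets.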
As you might imagine, the typical infrastructure probably has thousands, if not tens of thousands, of security controls that need to be applied. How does a lone IT security pro create this list of controls? The answer is, you don’t. You use a bit of magic called a risk management framework.
Risk Management Frameworks
A framework is a description of a complex process, concentrating on major steps and the flows between the steps. A risk management framework (RMF) describes the major steps and flows of the complex process of applying security controls in an organized and controlled fashion.
EXAM TIP
The CompTIA Security+ 601 objectives use the term key frameworks as an umbrella term for the various risk management frameworks discussed in this module. That’s an objectives organizational term rather than an industry term.
One popular RMF is the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). See Figure 1-10. This RMF is described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Originally designed as an RMF expressly for US federal organizations, the NIST RMF has been adopted as the de facto RMF by many in the IT security industry.
Figure 1-10 NIST RMF from NIST.SP.800-37r2.pdf
The NIST RMF isn't the only well-known framework. NIST RMF was originally designed only for government agencies (although the latest revision changed its title from Federal Information Systems to Information Systems and Organizations). Not too many years after developing the NIST RMF, NIST introduced the NIST Cybersecurity Framework (CSF), geared more toward private industry. The NIST CSF is a similar but higher-level and less prescriptive framework than the NIST RMF.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 is the international standard for best-practice information security management systems (ISMS), roughly like the NIST RMF. ISO/IEC 27002 is its companion code of practice: it describes the security controls referenced in ISO/IEC 27001's Annex A and gives implementation guidance for each. Organizations certify against 27001, not 27002. ISO/IEC 27701 extends the ISO/IEC 27001 standard to address personal information and privacy issues.
NOTE
ISO 27001 and 27002 are certainly frameworks, but think of them more as frameworks with teeth! Regulators and customers, in the EU and elsewhere, can require ISO/IEC 27001 certification as a compliance check, making it more of an auditable standard than a simple recommendation. NIST's publications are recommendations for private industry, although US federal agencies are required by FISMA to follow SP 800-53.
ISO 31000 provides a broad, higher-level, and less technical overview of risk management concepts and tools to implement risk management frameworks from the executive